Allow Craft CMS editors to insert Twig in CMS entries

Sometimes there are unique content requirements that require content editors to insert Twig code in Craft CMS entries. However, this raises several security concerns. In this post I'll highlight the solution I developed for my blog.

We could just create a new field, take the raw output and throw it into the "template_from_string" Twig function. However, doing that allows the execution of any Twig function, including dangerous ones. So we need to restrict which functions and filters may be used when content is inserted from the CMS.

Luckily for us, Twig provides a "sandbox" mode that allows us to do just that. First you need to configure Craft to load your module, if you haven't already. It should be enough to add "'bootstrap' => ['my-module']," to "config/app.php". If you have a default installation, this line should already be present but commented out.

Now create a new PHP file called "Sandbox.php" in the modules folder. This is where our Twig sandbox configuration will go, and it lets you decide individually what you deem safe for your site.

The sandbox is now up and running. You can now configure which filters, functions, methods and properties are considered safe in the static arrays. You can find the full list of filters and functions here: https://twig.symfony.com/doc/2...

This is the configuration I use for my blog, but YMMV, so consider reading through the Twig documentation and deciding for yourself:
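The following is an added example of what such a Sandbox.php can look like; it is not the configuration from this post. It builds a Twig SecurityPolicy from static allow-lists (Twig's policy also takes a list of allowed tags, which matters because with an empty tag list even {% if %} and {% for %} are rejected) and registers the SandboxExtension from the module's init(). The module class name, the "modules" namespace and the craft\elements\Entry property list are assumptions for illustration. The extension is registered with sandboxing disabled globally (second constructor argument false) so that the site's own templates keep full Twig and only explicitly sandboxed includes are restricted.

```php
<?php
// modules/Sandbox.php  (added example, not the post's own file)
namespace modules;

use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;

/**
 * Allow-lists for Twig entered by content editors. Anything not listed here is
 * rejected with a Twig\Sandbox\SecurityError when the snippet is rendered
 * inside a sandboxed include.
 */
final class Sandbox
{
    /** Tags editor-supplied Twig may use. 'include', 'import' and 'embed' are
     *  deliberately absent: they would let a snippet pull in other templates. */
    public static $tags = ['if', 'for', 'set'];

    /** Filters that are plain string/array transforms. */
    public static $filters = ['escape', 'e', 'upper', 'lower', 'trim', 'length', 'join', 'date', 'replace', 'split'];

    /** Functions. 'source', 'include', 'attribute' and 'template_from_string' are left out on purpose. */
    public static $functions = ['range', 'cycle', 'min', 'max'];

    /** Methods callable on objects, keyed by class. Empty: no method calls from editor content. */
    public static $methods = [];

    /** Properties readable on objects, keyed by class (assumed list for illustration). */
    public static $properties = [
        \craft\elements\Entry::class => ['title', 'slug', 'postDate'],
    ];

    public static function policy(): SecurityPolicy
    {
        // Argument order of SecurityPolicy: tags, filters, methods, properties, functions.
        return new SecurityPolicy(self::$tags, self::$filters, self::$methods, self::$properties, self::$functions);
    }

    public static function extension(): SandboxExtension
    {
        // false = sandbox is NOT enabled globally; it is switched on per include.
        return new SandboxExtension(self::policy(), false);
    }
}

// modules/Module.php  (assumed module class registered as 'my-module' in config/app.php)
class Module extends \yii\base\Module
{
    public function init()
    {
        parent::init();
        // Craft's View collects Twig extensions and adds them to its environment.
        \Craft::$app->getView()->registerTwigExtension(Sandbox::extension());
    }
}
```

The property and method lists are keyed by class and checked with instanceof, so a class listed there also covers its subclasses; listing a method such as getSecret on a class is what allows "entry.secret" in editor content, so keep those lists as short as the site needs.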

Now we need to render it in a template. To do this, simply create a new field that outputs plain text. I recommend installing the Code Mirror plugin so you have a better way of inserting this content in the CMS, but that's of course up to you.

After creating our field we can render it like this (I called the field "twig" in this example):
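The stand-alone script below is an added example, not the template from this post, and runs without Craft (it assumes Twig 3 installed via Composer). It shows the rendering step end to end: a page template compiles the editor's field with template_from_string and renders it through include(..., sandboxed = true), so the allow-list applies only to the editor's snippet. A FakeEntry class stands in for a Craft entry, and the three constructed snippets show an allowed loop, a rejected method call and a rejected function, each caught as a Twig\Sandbox\SecurityError rather than taking the page down.

```php
<?php
// Stand-alone demonstration (added example). Requires: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Extension\StringLoaderExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Stand-in for a Craft entry (constructed): the "twig" field holds editor content.
final class FakeEntry
{
    public $title = 'Hello sandbox';
    public $twig  = '';
    public function getSecret() { return 'should never be reachable'; }
}

// The page template, as it would sit in templates/_entry.twig: the editor's Twig is
// compiled with template_from_string and rendered inside a sandboxed include.
$loader = new ArrayLoader([
    'page.twig' => "<h1>{{ entry.title }}</h1>\n{{ include(template_from_string(entry.twig), sandboxed = true) }}",
]);

$policy = new SecurityPolicy(
    ['if', 'for', 'set'],            // tags
    ['escape', 'e', 'upper'],        // filters
    [],                              // methods: none at all
    [FakeEntry::class => ['title']], // properties readable on the entry
    ['range']                        // functions
);

$twig = new Environment($loader, ['autoescape' => 'html']);
$twig->addExtension(new StringLoaderExtension());          // provides template_from_string
$twig->addExtension(new SandboxExtension($policy, false)); // off globally, on per include

function renderEditorTwig(Environment $twig, string $editorTwig): string
{
    $entry = new FakeEntry();
    $entry->twig = $editorTwig;
    try {
        return $twig->render('page.twig', ['entry' => $entry]);
    } catch (SecurityError $e) {
        // Show a neutral placeholder instead of the snippet; log the real message server-side.
        return '<p>[editor snippet rejected: ' . htmlspecialchars($e->getMessage()) . ']</p>';
    }
}

// 1. Allowed: a loop, an allow-listed function, filter and property.
echo renderEditorTwig($twig, '{% for i in range(1, 3) %}{{ entry.title|upper }} #{{ i }}<br>{% endfor %}'), "\n";
// 2. Rejected: "entry.secret" resolves to the getSecret() method, which is not allow-listed.
echo renderEditorTwig($twig, '{{ entry.secret }}'), "\n";
// 3. Rejected: the include() function is not on the function allow-list.
echo renderEditorTwig($twig, '{{ include("page.twig") }}'), "\n";
```

Note that the checks are enforced only while the sandbox is enabled, which include(..., sandboxed = true) does for the duration of that one include; the outer page template still runs with unrestricted Twig, so the entry's fields other than the editor snippet are rendered as usual.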